DPDP in Practice

Does the DPDP Act Apply to One Person Companies? The Honest Answer

The Short Answer

Yes.

The DPDP Act, 2023 does not ask how many people are in your company. It asks one question: do you collect or process digital personal data of individuals in India?

If you are a One Person Company with a client list, a website contact form, or an email newsletter — the answer is yes. The Act applies to you.

Why the Question Gets Asked

It is a fair question. The DPDP Act reads like legislation designed for large organisations — data protection officers, impact assessments, algorithmic audits. A One Person Company is typically one founder, a laptop, and a handful of clients. The idea that the same framework applies feels disproportionate.

But the Act draws no such line. No revenue threshold. No employee minimum. No turnover exemption. If you process personal data of individuals in India, you are a Data Fiduciary. The obligations follow.

What Personal Data Does a Typical OPC Actually Hold?

More than most founders think.

Client data. Names, email addresses, phone numbers. Even business contact details of named individuals — a procurement manager, a project lead — constitute personal data under the Act.

Prospect data. Anyone in your outreach list or pipeline whose details you collected to pitch your services.

Vendor and contractor data. Freelancers and service providers whose bank account details or personal information you hold for payment purposes.

Website visitors. If your website uses Google Analytics, a contact form, or any cookie-based tool, you are collecting personal data.

Newsletter subscribers. Every email address on your mailing list is personal data with a consent requirement attached.

What the Act Requires of You

The obligations are identical to those of any Data Fiduciary. What compliance looks like at OPC scale, however, is practically very different from what it looks like at enterprise scale.

Valid consent. Wherever you collect personal data — a contact form, a newsletter sign-up, a client onboarding document — you need a clear notice and an affirmative consent action.

Purpose limitation. A client's email address collected to deliver your service cannot be added to your marketing list without separate consent.

Reasonable security. You are not expected to run an enterprise security operation. You are expected to take basic, sensible precautions — encrypted storage, strong passwords, not keeping client data in an unprotected spreadsheet on a shared drive.

Data retention. When a client engagement ends, how long do you keep their data? You need a simple answer and a habit of following it.

Breach notification. If your systems are compromised and client data is exposed, you must notify the Data Protection Board. Size is not an exemption from this requirement.

The Practical Reality

The Data Protection Board will not be investigating one-person consultancies ahead of large platforms processing millions of user records. Enforcement resources will naturally concentrate on higher-risk, higher-volume actors first.

But two things remain simultaneously true: you are unlikely to be the Board's first target, and the law still applies to you. Operating on the assumption that you are too small to matter is a reasonable practical judgement, not a legal position.

Compliance at this scale is not about the regulator. It is about being the kind of business that operates to a standard.

Three Things to Do This Week

One. Add a simple privacy notice to your website and contact form. Tell visitors what data you collect, why, and how they can ask for it to be deleted. This takes under an hour.

Two. Review your client onboarding. Are you collecting information you do not genuinely need? Does your engagement letter or contract say anything about how you handle client data? If not, add a short clause.

Three. Decide how long you retain client and prospect data — and set a calendar reminder to delete what you no longer need. Once a year is enough for an OPC.

That is DPDP compliance at OPC scale. It is not a project. It is an afternoon.

The Bottom Line

The DPDP Act applies to One Person Companies. The obligations are real, the penalties exist, and size is not an exemption.

The compliance effort required at your scale, however, is genuinely small. The businesses that will struggle are not the ones without resources — they are the ones that assumed the law did not apply to them and built nothing. You now have no reason to be in that group.

Published by DPDPsecured — compliance intelligence for Indian businesses.